Shodan is a search engine designed to let users search through information on devices that are connected to the internet. The site, named after the AI from the System Shock series of games, has been around since 2009 and has made news ever since for exposing potentially unsafe systems that were reachable from the public internet, from power stations to oddities such as gym equipment. Its newest feature has put it back under the spotlight: a new section of the site lets users browse and view vulnerable webcams.
These feeds capture all manner of activities, from people’s offices and kitchens to far more worrying things including banks, schools, laboratories, drug plantations and even sleeping babies. Security researcher Dan Tentler told Ars Technica “It’s all over the place, practically everything you can think of.” He went on to explain that the prevalence of vulnerable Internet of Things (IoT) devices is the result of a race to the bottom among webcam manufacturers. Typical users do not value security and privacy enough to pay more for a product, which lets manufacturers slash the cost of their devices to maximize profit. The end result of this race is a slew of cheap, insecure devices on the market, filling more and more homes as time goes by.
The vulnerability of these devices is rooted in their use of the Real Time Streaming Protocol (RTSP) on port 554 to share their video, often with no authentication in place to protect the stream from access. Many of the devices have surfaced on Shodan because the site crawls the internet looking for IP addresses with ports open to connections. If a port provides a video feed and lacks any authentication, Shodan captures an image from the feed, records the IP address and port, and moves on. While Shodan may take flak for publicly exposing so much private footage, it is hardly the one to blame; in fact, it sheds light on the poor state of security often applied to consumer IoT products. Tentler estimates that millions of insecure webcams are connected and easily discoverable through Shodan.
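The distinction the article draws is whether a camera's RTSP server hands out its stream description without credentials. The following is an added example, not code from the article or from Shodan: it parses the reply a camera gives to an RTSP DESCRIBE request and reports whether the stream is exposed, protected, or protected only by Basic authentication. It works on raw response bytes, so a device owner can feed it output captured from their own camera; the three sample responses and the 192.0.2.10 address are constructed.

```python
from dataclasses import dataclass
from typing import Dict, Optional


@dataclass
class RtspCheck:
    status: int
    exposed: bool                 # stream description served with no credentials
    auth_scheme: Optional[str]    # "Digest", "Basic" or None
    weak_auth: bool               # Basic sends the password in clear text


def parse_rtsp_response(raw: bytes) -> RtspCheck:
    """Classify an RTSP response to an unauthenticated DESCRIBE request."""
    head, _, _body = raw.partition(b"\r\n\r\n")
    lines = head.decode("latin-1").split("\r\n")
    parts = lines[0].split(" ", 2)           # e.g. "RTSP/1.0 200 OK"
    if len(parts) < 2 or not parts[0].startswith("RTSP/"):
        raise ValueError("not an RTSP status line: %r" % lines[0])
    status = int(parts[1])
    headers: Dict[str, str] = {}
    for line in lines[1:]:                   # header names are case-insensitive
        name, _, value = line.partition(":")
        headers[name.strip().lower()] = value.strip()
    scheme = None
    challenge = headers.get("www-authenticate")
    if challenge:
        scheme = challenge.split(None, 1)[0]  # first token is the scheme name
    # A 200 carrying an SDP body means the stream is described to anyone who asks.
    exposed = status == 200 and headers.get("content-type", "").startswith("application/sdp")
    weak = scheme is not None and scheme.lower() == "basic"
    return RtspCheck(status, exposed, scheme, weak)


def verdict(check: RtspCheck) -> str:
    if check.exposed:
        return "EXPOSED: stream description served without credentials"
    if check.weak_auth:
        return "PROTECTED, but Basic auth sends credentials in clear text"
    if check.auth_scheme:
        return "PROTECTED (%s)" % check.auth_scheme
    return "NOT EXPOSED (status %d)" % check.status


# Constructed sample responses from a hypothetical camera at 192.0.2.10.
OPEN = (b"RTSP/1.0 200 OK\r\nCSeq: 2\r\nContent-Type: application/sdp\r\n"
        b"Content-Length: 30\r\n\r\nv=0\r\no=- 0 0 IN IP4 192.0.2.10\r\n")
DIGEST = (b"RTSP/1.0 401 Unauthorized\r\nCSeq: 2\r\n"
          b'WWW-Authenticate: Digest realm="cam", nonce="c0ffee"\r\n\r\n')
BASIC = b'RTSP/1.0 401 Unauthorized\r\nCSeq: 2\r\nWWW-Authenticate: Basic realm="cam"\r\n\r\n'
```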
Shodan’s images are available to its paid users at images.shodan.io, while those with free accounts can find an array of video devices by using the search filter “port:554 has_screenshot:true”. It is truly frightening how much is haplessly made available to anyone online, with users expecting manufacturers to handle security for them and manufacturers unwilling to raise the cost of their products for the sake of security. Hopefully, the images made public by this new Shodan feature will convince both users and manufacturers to value cybersecurity more in this increasingly connected world.